As many as 12 million websites powered by the Drupal 7 open source content management platform may have been compromised by cyber attacks exploiting the system’s database management system. Since Drupal is widely used by major brands worldwide - news agencies, defense industry and government, including the White House websites, security experts are concerned that its exposure that could lead to daisy-chain propagation of this cyber infection.

As many as 12 million websites powered by the Drupal 7 open source content management platform may have been compromised by cyber attacks exploiting the system’s database management system. Since Drupal is widely used by major brands worldwide – news agencies, defense industry and government, including the White House websites, security experts are concerned that its wide exposure that could lead to daisy-chain propagation of this cyber infection.

Since Drupal is widely used by major brands worldwide, including news agencies, government and defense industry sites, security experts are concerned that its exposure that could lead to daisy-chain propagation of this cyber infection. There was no report that the white house website was compromised. The image is brought only for illustration purpose. Image: Drupal website

The open source content management system developer Drupal identified the malware on October 15, and immediately provided an upgrade (7.32) and patch to block the vulnerability but apparently the cyber attack was faster and more decisive than 12 million users – However, two weeks later, Drupal added another warning to its users. Multiple exploits have been reported in the wild following the release of this security advisory, any Drupal 7 site which did not update within seven hours after the advisory was released should be considered as compromised”. Drupal said in an unprecedented announcement. “Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.” the warning said.

Finding your website ‘patched’ is not a relief either, Drupal warned. “If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.” The vulnerability made it possible for attackers to seize control of a server or use websites to infect unsuspecting users with malware.

“Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack”

For websites infected by the malware Drupal recommends to take drastic actions up to complete site restoration from sanitised, non infected backups on a new server. (guidance)

Open systems and content management systems are becoming an increasingly popular target for cyber attacks. Some are targeting the content management system itself such as Drupal and WordPress, others target the infrastructure controlling the servers, such as the Unix open source operating system, which was targeted a month ago by the Shel Shock vulnerability, used to build botnets that can launch Distributed Denial of Service (DDoS) attacks as well as spread malware. Heartbleed, another malware targeting open systems was uncovered in April this year, targeting the open source security encryption service used for secure site access.

“any Drupal 7 site which did not update within seven hours after the advisory was released should be considered as compromised”

“This is a recipe for disaster,”Daniel Cid, chief technology officer and founder of website security firm Sucuri said in a blog post. “If it’s true and those websites are in fact compromised, they could be leveraged and daisy chained for a massive malware distribution campaign. Take that into consideration with the size and audience of brands and the impact grows exponentially.”

Defense-Update is not operating on the Drupal system but has taken extremely harsh measures to protect its systems and secure its service, maintaining the information safety and security of our subscribers and visitors.